Fast Exhaustive Search for Polynomial Systems in F2

We analyze how fast we can solve general systems of multivariate equations of various low degrees over \({\mathbb{F}_{2}}\); this is a well-known hard problem which is important both in itself and as part of many types of algebraic cryptanalysis. Compared to the standard exhaustive search technique, our improved approach is more efficient both asymptotically and practically. We implemented several optimized versions of our techniques on CPUs and GPUs. Our technique runs more than 10 times faster on modern graphics cards than on the most powerful CPU available. Today, we can solve 48+ quadratic equations in 48 binary variables on a 500-dollar NVIDIA GTX 295 graphics card in 21 minutes. With this level of performance, solving systems of equations supposed to ensure a security level of 64 bits turns out to be feasible in practice with a modest budget. This is a clear demonstration of the computational power of GPUs in solving many types of combinatorial and cryptanalytic problems.
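As an added illustration (not code from the paper, whose implementation details are not given on this page), the block below shows the idea that makes exhaustive search over \({\mathbb{F}_{2}}\) cheaper than re-evaluating every candidate: visit all 2^n points in Gray-code order, so consecutive points differ in one bit, keep the partial derivatives of the quadratic system up to date with one XOR per step, and bit-slice up to 64 equations into one machine word so that one XOR updates all of them. Class and function names are my own, and the random instance is constructed for the example.

```python
import random

def lowest_set_bit(t):
    """Index of the lowest set bit of t > 0."""
    return (t & -t).bit_length() - 1

class QuadSystemF2:
    """Up to 64 quadratic equations in n variables over F2, bit-sliced:
    bit k of every coefficient word belongs to equation k, so one XOR
    updates all equations at once.  quad[i][j] (j < i) is the x_i*x_j term."""
    def __init__(self, n, const, lin, quad):
        self.n, self.const, self.lin, self.quad = n, const, lin, quad

    def eval_naive(self, x):
        """Full evaluation at point x (bit i of x is variable x_i): O(n^2) work."""
        v = self.const
        for i in range(self.n):
            if x >> i & 1:
                v ^= self.lin[i]
                for j in range(i):
                    if x >> j & 1:
                        v ^= self.quad[i][j]
        return v

    def solve_gray(self):
        """All common roots, enumerated in Gray-code order.
        f(x ^ e_b) = f(x) ^ d_b(x) with d_b the partial derivative in x_b.
        d_b is affine, and between two consecutive flips of bit b exactly one
        higher bit b2 changed, so d_b is refreshed by XORing quad[b2][b]."""
        n, quad = self.n, self.quad
        d = [self.lin[i] ^ (quad[i][i - 1] if i else 0) for i in range(n)]  # d_i at e_{i-1}
        x, f = 0, self.const
        roots = [0] if f == 0 else []
        for t in range(1, 1 << n):
            b1 = lowest_set_bit(t)            # bit flipped at this step
            rest = t ^ (1 << b1)
            if rest:                          # second-lowest set bit of t is the
                d[b1] ^= quad[lowest_set_bit(rest)][b1]   # higher bit flipped since last use of d_b1
            f ^= d[b1]
            x ^= 1 << b1
            if f == 0:
                roots.append(x)
        return roots

def random_system(n, m, seed):
    """Constructed random instance with m <= 64 packed equations (example data)."""
    rng = random.Random(seed)
    lin = [rng.getrandbits(m) for _ in range(n)]
    quad = [[rng.getrandbits(m) for _ in range(i)] for i in range(n)]
    return QuadSystemF2(n, rng.getrandbits(m), lin, quad)
```

With m = n equations a random instance has about one root on average, which is the regime the abstract's 48-in-48 figure refers to; `eval_naive` is only there to cross-check the incremental walk.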
